Splunk Search

How to add pagination to SimpleResultsTable panels and how to resolve a timechart truncation issue?

jward6004
Explorer

I've trying to add pagination to my simpleresultstable panels. My default the panel shows a count of 10; I can achieve more results by modifying the count parameter for the simpleresultstable module using the Sideview Editor app. However, I'd like the results to give a paging option as you'd see with a normal Splunk search with many results.

I also have a timechart panel for this dashboard and I'm getting a message "search generated too much data for the current display configuration, results have been truncated." I'm not interested or think it's plausible to graph all search results but I'd like the top 50 - 100? Is there a way to achieve this? What I've read on similar Splunk Answers threads has not worked thus far.

1 Solution

cmerriman
Super Champion

In advanced XML, the module for adding pages is <module name="Pager">, but advanced XML is deprecated, so if you're able to recreate this dashboard in simple XML, that is recommended.

this is a sample of one of my leftover advanced XML dashboard that uses Pager in a SimpleResultsTable

   <module name="PostProcess">
           <param name="search">QUERY</param>
                <module name="Pager">
                 <module name="SimpleResultsTable" />
                      <param name="cssClass">table-chrome table-striped</param>
                       <module name="SearchControls">
                            <param name="sectons"/>
                       <module name="Pager" />
                    </module>
                 </module>
              </module>
         </module>
     </module>

as for the timechart, you might be able to add |sort - count |head 50 to the end of your search, or something similar to grab the top 50 'count' (insert correct field name).

View solution in original post

sideview
SplunkTrust
SplunkTrust

The way to page the table modules is to use either the Sideview "Pager" module. Sometimes you'll also see the legacy Splunk "Paginator" module. Also note that the Sideview "Table" module offers quite a lot more features than the SimpleResultsTable module, although the look-and-feel is slightly different.

Check out the documentation within the Sideview Utils app itself, for the "Table" module. And if you don't see such a module it probably means you have the extremely old 1.3.X version of Sideview Utils - get the latest free from here - http://sideviewapps.com/apps/sideview-utils/

As far as the messaging in the charting module, that can get triggered if either there are too many rows or too many columns or both.
I think most of the time the question gets asked though, it's because there are too many columns, (if only because the solution is more obvious if it's too many rows). Post the search syntax and we can all advise further, but often this can be as simple as changing a limit clause in the timechart command. ie | timechart span=30s count by user limit=500 will split the results by the top 500 users, and bucket the times to the nearest 30 seconds. Depending on the timerange this can be both far too many rows and far too many users for the JSChart module to display.

Incidentally, Splunk's older FlashChart module has a significantly higher limit than JSChart, I think on both axes. =/ As a short-term fix I have replaced JSCharts with FlashChart while the SPL was being reworked.

0 Karma

cmerriman
Super Champion

In advanced XML, the module for adding pages is <module name="Pager">, but advanced XML is deprecated, so if you're able to recreate this dashboard in simple XML, that is recommended.

this is a sample of one of my leftover advanced XML dashboard that uses Pager in a SimpleResultsTable

   <module name="PostProcess">
           <param name="search">QUERY</param>
                <module name="Pager">
                 <module name="SimpleResultsTable" />
                      <param name="cssClass">table-chrome table-striped</param>
                       <module name="SearchControls">
                            <param name="sectons"/>
                       <module name="Pager" />
                    </module>
                 </module>
              </module>
         </module>
     </module>

as for the timechart, you might be able to add |sort - count |head 50 to the end of your search, or something similar to grab the top 50 'count' (insert correct field name).

sideview
SplunkTrust
SplunkTrust

A couple small heads up's - Pager and SearchControls are both Sideview Utils modules, making this more what you call "Sideview XML" than Advanced XML, technically. Even in today's code base Sideview Utils has rewritten most of the underpinnings of the module framework. Current development efforts for Sideview Utils have been taking this much much further, completely replacing all of the legacy Splunk modules, systems and libraries, and in the process making speed improvements and even some feature improvements. The plan is that before the "advanced xml" and its supporting systems are removed from Splunk, there will be a simple path for such views to continue on, and even then you will not have to convert these views to Simple XML or SplunkJS. Subscribe to the Sideview Utils mailing list on our site for more info.

jward6004
Explorer

Thank you! Both of my issues were fixed with the help of your suggestions. I used an order of search > switcher > postprocess > html > PAGER > SimpleResultsTable. This displayed my data at 10 events with pagination as I wanted.

For the truncation issue on my timechart panels... replacing jschart with FlashChart allowed me to display more results (1000 by default).

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...